I think it is perfectly reasonable to assume that users intend to not be tracked by the very large number of third parties they are involuntarily exposed to on the web.
Yahoo are resorting to this whole buzzword-laden meaningless rhetoric around ~user experience~ and ~value proposition~. That just reinforces the impression that the only reason anyone was prepared to go along with DNT was that they assumed that 99% of users weren't going to be in a position to express their ~user intent~ to not be tracked. Since, you know, most people have better things to do than to learn how to teach their computer about obvious preferences like "please don't spy on me".
Microsoft is simply making the benefits of the DNT scheme more accessible to its users. It's pretty telling that Yahoo is already backpedaling from respecting the users' intent, faced with the possibility that more than an insignificant fraction of users might actually be enabled to benefit from DNT by this decision.
(Edit: Personally I think rather than squabbling about DNT, browser vendors should be taking much more aggressive, technical steps to make tracking users harder, instead of having a default configuration that stops just short of transmitting the user's SSN via request header. Disabling features like user agent and referer headers for and quickly discarding cookies from untrusted (by individual user "intent", not based on SSL certs or anything) hosts would be a start.)
The benefit of the DNT scheme was to kill the lie that most users don't care. If 99% of users take positive action to change a default and say "Don't track me", it's believable. If a browser vendor says this, it's not.
Bear in mind that Do Not Track has _zero_ technical merit; it's equivalent to the "evil bit" prank RFC. Any merit it has must be political.
The value in DNT was going to be that we could convince advertisers that normal users do, in fact, care, and do, in fact, not want to be tracked. IE's decision is squandering what DNT attempts to communicate, and squandering that value. And so when you see advertisers _and_ web server developers rejecting IE 10's DNT indicator, that doesn't mean that the advertisers or web server developers are bad people -- that just means that you lost the politics.
That puts Microsoft in a bind. Sensible defaults are important; if you can guess what users want most of the time, then you should just do that.
In their shoes I would have done some focus groups, spending an afternoon with people and really educating them on the details of tracking, and what the pros and cons are for them. If at the end of it most typical users would have turned it on, then this would have been the right default.
After all, if places like Yahoo don't like it, they could ask people to turn it off. If Yahoo's right, then presumably most people would turn DNT off, or make an exception for them. But I suspect Yahoo knows that people don't want to be tracked, and that a lot of their profit comes from keeping their users in the dark.
> Sensible defaults are important; if you can guess what users want most of the time, then you should just do that.
That is a good general rule. In the case of DNT, the header was formulated specifically with the intent that the default would be off, regardless of what you expect the user to want, so that turning it on communicates individual user intent. This is a reason to ignore the general rule in this specific case.
A good related example would be license agreements. Most users want to ignore them entirely. Focus groups would indicate skipping them. But if you make a click-through license agreement invisible, while that's a better UX, the agreement is now completely legally invalid. In order for the agreement to be valid, you need the user to have an opportunity to read it (even if focus groups indicate nobody does).
And while you expect 100% of your users to accept the agreement, the default needs to be "No, I do not accept".
> If Yahoo's right, then presumably most people would turn DNT off, or make an exception for them.
Nope, there are other reasons why one wouldn't turn it off: confusion, ignorance, laziness, etc. Everyone in tech support knows how hard it is to get users to perform simple tasks even with step-by-step guidance.
With Firefox, I use adblockplus, noscript and requestpolicy, along with some thing I forgot that wipes flash cookies and other persistent storage at the end of every session, and probably something else that I entirely forgot about.
But that does fuck all, apart from making me guess which third-party requests are instrumental to making a page I'm visiting for the first time work properly, until it's some sort of concerted effort at a default behavior for browsers so that websites are coerced to adapt to it to stay competitive. So it's up to those with browser marketshare.
Can't you also change your cookie settings to require you to accept any cookie that wants to be set? I think we'd see less cookie abuse these days if 10 years ago browsers defaulted to asking users to store cookies. You can also disable all third-party cookies, which can help minimize tracking also.
I'm pretty sure that Microsoft is doing this to hurt Google and hurting Google's ability to deliver a better ad experience. As well, it gets to paint itself as fighting for privacy, etc, so it's a double-win for them.
While it is reasonable to assume a user's intent, it is also reasonable to assume a content publisher's intent to monetize their content. An advertising-funded web is the reality of today, unless Microsoft is proposing a radical change in this model.
The concept of Do Not Track, despite the emotional appeal of the name, essentially seems to be a compromise between privacy and advertising, keeping the advertising-based model intact while also allowing the extremely privacy focused (minority set of) individuals to have things their way.
Turning DNT on by default is a hardline approach and violates the spirit of this compromise. Instead, there needs to be more effort to constructively work with content providers, privacy advocates and advertisers to come up with a more explicit protocol that satisfies everyone's interests.
Your theory appears to be that the minority of privacy-focused individuals are weird outliers in preference. But my impression is that they are weird outliers in knowledge.
When I talk with non-technical relatives about their internet use, privacy is a major issue for them.
They know, for example, that Facebook knows a lot about them, which scares them. They don't know how much ad providers track them, but if you tell them they're more scared. Facebook is at least a known entity that provides them some benefit. Shadowy private companies profiling them is a lot harder to get comfortable with.
I agree there is a problem with the lack of knowledge, but I wouldn't assume that it is all regarding "shadowy private companies". A number of public privacy scares like the concern of Gmail reading people's email seem to fall into the same category.
Again, there are good and bad players on all sides, but my point was simply that ignoring reality and making a complete swing to no monetization for content seems to assume all players on one side are bad. A more open standard that allows clear knowledge is probably a better direction for Microsoft to pursue.
> I think it is perfectly reasonable to assume that users intend to not be tracked by the very large number of third parties they are involuntarily exposed to on the web.
I don't. In my limited experience, most users don't care nor mind unless they can see the immediate downsides to that.
How is a cookie 'just short of transmitting the user's SSN'? Microsoft itself, for example, doesn't support DNT for all browsers in its advertising network Atlas.
> How is a cookie 'just short of transmitting the user's SSN'?
In that it's fairly straightforward to track a user across multiple sites and sessions with a cookie, almost as easy as if the browser was already sending a user-specific identification number along on its own.
I didn't want to present Microsoft as the good guys here either, they're playing their own game and I have no illusion that they really care about their users' privacy.
1) They can often be used to identify you, especially when combined with other HTTP headers or information scraped from the client via JS[0].
2) They are abused by web developers who wish to lock out web browsers that they do not support. This is generally considered to be against the spirit of the web, though is sometimes useful for optimising page load times (for example, not sending IE conditional comments to all browsers).
Thanks. I didn't realize that the combination of headers could produce such a specific target. Apparently my browser fingerprint appears to be unique among the 2,474,746 tested so far.
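The point made in the two comments above, that individually common header values become identifying in combination, shown as an added example that is not part of the original thread. The visitor records are a constructed sample; the field names and helper functions are this example's own.

```python
import math
from collections import Counter

# Constructed sample population (not real measurements): one dict per visitor,
# holding values a server sees in request headers or can read via script.
SAMPLE_VISITORS = [
    {"user_agent": "Firefox/15.0 (Windows NT 6.1)", "accept_language": "en-US", "tz_offset": -300},
    {"user_agent": "Firefox/15.0 (Windows NT 6.1)", "accept_language": "en-US", "tz_offset": -300},
    {"user_agent": "Firefox/15.0 (Windows NT 6.1)", "accept_language": "en-US", "tz_offset": -480},
    {"user_agent": "Firefox/15.0 (Windows NT 6.1)", "accept_language": "de-DE", "tz_offset": 60},
    {"user_agent": "Chrome/22.0 (Windows NT 6.1)", "accept_language": "en-US", "tz_offset": -300},
    {"user_agent": "Chrome/22.0 (Windows NT 6.1)", "accept_language": "en-US", "tz_offset": -480},
    {"user_agent": "Chrome/22.0 (Macintosh)", "accept_language": "en-GB", "tz_offset": 0},
    {"user_agent": "MSIE 9.0 (Windows NT 6.1)", "accept_language": "en-US", "tz_offset": -300},
]

ALL_FIELDS = ("user_agent", "accept_language", "tz_offset")


def fingerprint(visitor, fields):
    """Tuple of the chosen attributes; visitors with equal tuples look identical."""
    return tuple(visitor[field] for field in fields)


def anonymity_sets(visitors, fields):
    """Map each observed fingerprint to the number of visitors sharing it."""
    return Counter(fingerprint(v, fields) for v in visitors)


def unique_count(visitors, fields):
    """Number of visitors whose fingerprint nobody else in the sample shares."""
    return sum(1 for size in anonymity_sets(visitors, fields).values() if size == 1)


def surprisal_bits(set_size, population):
    """Identifying information, in bits, carried by a fingerprint that is
    shared by set_size out of population visitors."""
    if not 0 < set_size <= population:
        raise ValueError("set_size must be between 1 and population")
    return math.log2(population / set_size)


def report(visitors, field_sets):
    """For each field combination: (fields, unique visitors, bits of the rarest fingerprint)."""
    rows = []
    for fields in field_sets:
        smallest = min(anonymity_sets(visitors, fields).values())
        rows.append((fields, unique_count(visitors, fields),
                     surprisal_bits(smallest, len(visitors))))
    return rows


if __name__ == "__main__":
    for fields, unique, bits in report(
            SAMPLE_VISITORS, [ALL_FIELDS[:1], ALL_FIELDS[:2], ALL_FIELDS]):
        print(f"{'+'.join(fields):45s} unique={unique}/8 rarest={bits:.2f} bits")
    # A fingerprint that is unique among the 2,474,746 browsers mentioned in
    # the comment above carries at least this many bits of identifying information.
    print(f"{surprisal_bits(1, 2474746):.2f} bits")
```

Each added attribute splits the anonymity sets further, which is why removing or normalizing individual headers reduces identifiability only as far as the remaining combination allows.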
> Recently, Microsoft unilaterally decided to turn on DNT in Internet Explorer 10 by default, rather than at users’ direction.
> It basically means that the DNT signal from IE10 doesn’t express user intent.
Blatantly false. Not only are you presented with the option to turn off DNT on first use (that takes up the entire screen), but I'd imagine users would choose to have advertisers track them about 1-10% of the time if made to choose. So a default On setting does represent the consumer to a degree that you can't ignore.
I also did a double-take on that first sentence you quoted. I'm pretty sure I read earlier that they will be prompting first-time users on what their preference will be, and that the "default" basically just means which position that switch will be in when the choice is presented. However, I did some quick fact-checking and I couldn't find anything to back that up; if you don't mind, where did you find that IE10 presents that option?
In all the comments here, I can't find anybody who thinks that Yahoo is doing the right thing here. Well, I do. I think what Yahoo is doing is the right thing for them, for their users, and for the web.
If the web is going to be ad supported, then it's going to have to be targeted advertising or it's going to be both shit and annoying. Remember "punch the monkey", or ads that took over the entire screen? Now, through tracking, we are able to get really really good ads - things you might even be interested to see and buy.
If DNT was supported by everybody and on by default, that's the end of online advertising in its current form. So we can choose from the following options: ignore DNT, ignore DNT for IE10, or go back to non-targeted advertising.
Let's assume the last of those, which leads us to the following options: revert to shit ads, make users pay for content directly, or pack up your content-producing company and go home. None of these are best for the users or the web.
The DNT founders know this - that's why it was default null in the spec and in Firefox. IE10 is doing this deliberately even though they know it can't work, and there are choices here: they are trying to improve the world but are incredibly wonderfully naive, they want to undermine Google, or they want to undermine DNT. I'd love to believe it's the first, but no-one has ever claimed that about MS.
That ignores that user tracking wasn't possible for the first 150 years of ad-supported publishing.
I also think your slippery-slope argument is excess drama. The notion that untracked users force us to a world of shitty ads is implausible to me. When I saw punch-the-monkey ads disappear, it was because publishers realized that terrible ads destroyed the value of their brand.
I agree that money has shifted toward more tightly tracked ads. But if large portions of the readership are untracked, there's no reason to think that the money won't shift back. Vendors won't stop advertising, and they won't go back to print.
And really, it's not clear that the current model is sustainable anyhow. CPMs have been falling for years. I was just talking with a founder of a (now-sold) ad-supported content company. He said that there's no way he'd do that again; rates are low and are headed lower. And there's much more competition for eyeballs from SEO-optimized, attention-getting bullshit.
Unfortunately, if nobody pays for the content, it will go away. That's probably bad (let's leave aside discussions of how high the quality on ad-supported content is, and presume that there are people who like to read it).
I know people celebrated Microsoft's decision to do this in IE10, but this is what many of us were saying would happen. The relationship with the Do Not Track flag was always tenuous so flagrantly ignoring the spec (which indicates that default on is wrong) was simply going to cause companies to ignore the flag completely.
Regardless, this whole thing is silliness in the extreme. I wonder if this means Yahoo is going to start allowing requests with the evil bit set as well :).
> DNT fits naturally into this process. Customers will receive prominent notice that their selection of Express Settings turns DNT “on.” In addition, by using the Customize approach, users will be able to independently turn “on” and “off” a number of settings, including the setting for the DNT signal.
They support the NAI which enables you to turn off various tracking bits. Let's not go around shitting on a whole type of business wholesale because of a few bad actors, hm?
You say "they" like all advertisers support this initiative. They don't. I was careful not to include all.
I can assure you that not everyone will follow it. Google is a part of NAI and they were found guilty by the FTC to be circumventing Safari preferences.
Maybe Yahoo should respect IE10's DNT defaults, but display huge modal screens that tell the user "Your browser vendor is inhibiting our value proposition. Please allow us to track your behavior for maximum value extraction."
Took me a second to figure out this whole DNT business.
So basically it is just an HTTP header your browser sends to the server that tells it not to track. Seems kind of like the wrong way to do it. If I was some nefarious website wouldn't I straight up ignore it? There isn't any incentive for me to not track a user. In fact aren't a lot of companies around advertising based on the fact that you CAN track users?
The thing about DNT is that the advertising industry (not malicious/shady websites) is supportive of it as a voluntary standard that they will comply with. All the major players are saying they won't play nicely with IE10 due to the default on flag instead of a default null (no intent expressed) flag.
In other words meaning they're not going to support it...
"We're only going to support it if it's not turned on by default" is not really supporting DNT. It really shows their business model depends on people being computer illiterate. And now that DNT is on by default they're revolting because they know few people will ever go out of their way to opt-in and get tracked.
> "We're only going to support it if it's not turned on by default"
No, they are only going to support it if it is _actually_ the user's intent, not a vendor's intent. This is completely reasonable and the actions of MS are undermining the efforts to get this voluntary standard going. Keep in mind, DNT is completely voluntary.
One could just as easily argue that a user should only be tracked if it's their explicit intent to be tracked, in which case DNT should be on unless the user turns it off. That makes more sense to me, and I think a lot of people would agree. Obviously, Microsoft thinks that should be the case.
One could also argue that Microsoft is not being pragmatic in expecting these companies to continue to honour it if it is on by default. At least when it is off by default, it will be honoured if a user opts to turn it on.
I agree, additionally it's not even really "off" by default. The default in the spec right now is a null value which indicates "we don't know" which is actually accurate until the user makes a choice.
Doesn't that make sense? If someone doesn't care enough to go in and turn on DNT, why does it matter if they're tracked? The default should obviously be 'null', that's the most equitable choice for all parties involved.
Websites don't track people, pervasive analytics, ad and social networks do. Since they have to be included by the website owners, they're usually not "scammers-r-us" but legal companies like Google, Facebook, KISSmetrics, etc.
Supposedly, the incentive for them not to track users who have DNT enabled is the PR hit.
The key thing to understand is that if IE10 did not have DNT enabled, that the default setting would be _just as arbitrary_ and would still therefore not "map to user intent" in their words. There has to be a default in one direction or the other.
That, and many users will use IE10 knowing that it ships with DNT pre-enabled. To ignore this is totally immoral and unethical. This is totally shameful.
> The key thing to understand is that if IE10 did not have DNT enabled, that the default setting would be _just as arbitrary_ and would still therefore not "map to user intent" in their words. There has to be a default in one direction or the other.
The default is to send a null value in the header meaning that no intent has been expressed, that's not arbitrary.
> That, and many users will use IE10 knowing that it ships with DNT pre-enabled. To ignore this is totally immoral and unethical. This is totally shameful.
Most users will have no idea what DNT is, nor will they bother to switch the flag. MS setting it to do not track by default undermines the effort being put into the standard. No one is going to comply with a voluntary standard if one of the largest browser vendors turns it on by default.
> The default is to send a null value in the header meaning that no intent has been expressed, that's not arbitrary.
My statement that there has to be a default in "one direction or the other" is clearly wrong, as you've indicated. I would still argue that a null value is arbitrary and does not map to the user's wishes. My opinion is that having it 'on' is no more or less arbitrary than having no wishes expressed.
Again, fair point - but then by definition the second clause of my statement is correct - the user's wishes are unknown, so any direction taken is then... arbitrary? :)
At any rate, you seem well-versed in this area, so let me ask you a question: what is the difference in the website's behavior between a "null" and a "track me, please" value in the header?
It's not binary, it's ternary. 1 opt out, 0 opt in, null unknown choice.
In practice the difference between null and don't track me please is probably nonexistent. However, in the future if this were to take off it's possible that someone would come up with creative benefits/uses for tracking that provide incentive for users to be tracked.
edit: Don't think I addressed your question. The difference between null or tracking ok and don't track are likely just to be generic advertisements shown to a user instead of targeted ads, the prevention of some back end selling of user interaction data and some other things that most people have no idea is going on. If you can't track users across sites you lose some of your ability to build up profiles for them. Advertisers will argue that the ads will have significantly less value without those secondary or tertiary ways to monetize eyeballs and I suppose you could see some decline in what advertisers are willing to pay for impressions. Ultimately I've been removed from advertising for a few years so I'm not entirely sure how much it will make a difference.
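The three-state signal described in the comment above ("1" opt out, "0" opt in, no header for no expressed choice), as an added example that is not part of the original thread: how a server that chooses to honor the header could read it. The cookie names, the sample requests and the rule that any "1" wins over conflicting values are assumptions of this example.

```python
from enum import Enum


class TrackingPreference(Enum):
    OPT_OUT = "1"  # "DNT: 1": do not track
    OPT_IN = "0"   # "DNT: 0": tracking allowed
    UNSET = None   # header absent or unusable: no preference expressed


def parse_dnt(headers):
    """Classify the DNT signal in a request.

    headers is an iterable of (name, value) pairs as received. Header names
    are matched case-insensitively. Assumption of this example: if any copy
    of the header says "1" the request counts as an opt-out, and malformed
    values are treated the same as a missing header.
    """
    values = [value.strip() for name, value in headers
              if name.strip().lower() == "dnt"]
    if "1" in values:
        return TrackingPreference.OPT_OUT
    if values and all(value == "0" for value in values):
        return TrackingPreference.OPT_IN
    return TrackingPreference.UNSET


def response_cookies(headers, session_id, visitor_id):
    """Cookies a server honoring the header would set: the session cookie
    always, the long-lived cross-site identifier only without an opt-out."""
    cookies = {"session": session_id}
    if parse_dnt(headers) is not TrackingPreference.OPT_OUT:
        cookies["visitor_id"] = visitor_id
    return cookies


# Constructed requests. The first models a user who switched the setting on,
# the second a browser that ships with it on. The DNT header is identical in
# both, so nothing in the signal itself says who made the choice.
USER_ENABLED = [("Host", "example.test"), ("DNT", "1")]
BROWSER_DEFAULT = [("Host", "example.test"), ("dnt", " 1 ")]
NO_HEADER = [("Host", "example.test")]
EXPLICIT_ALLOW = [("Host", "example.test"), ("DNT", "0")]
MALFORMED = [("Host", "example.test"), ("DNT", "yes")]

if __name__ == "__main__":
    for label, request in [("user enabled", USER_ENABLED),
                           ("browser default", BROWSER_DEFAULT),
                           ("no header", NO_HEADER),
                           ("explicit allow", EXPLICIT_ALLOW),
                           ("malformed", MALFORMED)]:
        print(label, parse_dnt(request).name,
              sorted(response_cookies(request, "s-123", "v-456")))
```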
Nope. For the past 10-20 years, browsing has worked as if there were not a DNT signal. So clearly "default off" is not "just as arbitrary". Yahoo is right.
Another way to look at it: this is the current status quo, and Yahoo is not going to make a radical change to its business because Microsoft changed a default setting in its web browser.
I had no reasonable expectation that Yahoo would handle this differently.
Yet somehow software developers are quick to screech that users agreed to 'license agreements' that have the same weight, right? (Words on a screen that everyone just 'clicks through blindly'.)
You can't have it both ways. Either having something show up and clicking next manifests consent or it doesn't. IE is extremely clear that DNT will be turned on and lets you opt out of doing so. Users are expressing intent by using the default settings; it isn't like it's a hidden default that they don't tell anyone about.
I don't know any developers that believe that; however, I've met many managers and attorneys that believe it. Common industry practices should be laid at the feet of those responsible.
Beyond licensing agreements though, people won't read instructions, disclaimers, warnings, etc. It's not just one thing, and when designing things at work one of our common points to try and make things more clear includes "people don't read" so how can we improve this.
> In our view, this degrades the experience for the majority of users and makes it hard to deliver on our value proposition to them.
I know Yahoo! has to maintain their business which depends on things like ads and content delivery; but to say it with such sterile marketing jargon just makes me nauseous.
How about you guys do what everyone else has had to do since the beginning; create something awesome and let people use it with a minimal barrier to entry. Right now, Yahoo! is like a giant skyscraper tenanted only by iPhone case kiosks.
The problem is that Yahoo's customers aren't their users. Yahoo's users are the veal calves. They don't seem to understand what to do with businesses where the customers are the users. Flickr, for example.
Issue aside, I'm curious about this site itself. The first thing I noticed is that they're running a pretty old version of WordPress. They're on 3.0.3 (December 2010) when the latest version is 3.4.2. For security purposes, I'm surprised they don't stay on top of that.
Also I was really confused if this was an official Yahoo site. No real mention anywhere on it. After some quick digging, it appears to be. But I'm surprised it's not hosted under the Yahoo.com domain somewhere.
The only reason Microsoft is making DNT the default is because it will directly impact Google's bottom line (and Microsoft loses money in its online division, so they won't hurt as much). Since when did Microsoft really start caring about the users?
I left this as a comment on their blog which I assume will never be approved:
"We fundamentally believe that the online
experience is better when it is personalized"
Um, doing so is not impeded by DNT as that does not relate to ads. That's a bit of a white lie to imply that it is, the way you've worded that first paragraph.
"It basically means that the DNT signal
from IE10 doesn’t express user intent."
Actually I think it does - you think your average person on the street wants targeted ads? Seriously - who is writing this.
"In principle, we support “Do Not Track” (DNT)"
In principle China, Syria, Iran etc support Human Rights...
"Ultimately, we believe that DNT must map to
user intent — not to the intent of one
browser creator, plug-in writer, or third-
party software service."
Again - seriously - what reality are you a part of?
I had hoped for a Yahoo turn-around of sorts, I really did. You've lost me.
Both sides are playing an Orwellian game, pretending they are concerned with users' intentions & desires when in reality both are assuming that users have no intents and desires coherent enough to act on.
They are fighting over the default because they know that in 95% of cases, the default is all that matters.
How are ads not part of the online experience? (At least for everyone not using Adblock). Of course they are. Hell, many click on them!
> Actually I think it does - you think your average person on the street wants targeted ads?
It depends. If the alternative is paying or not having the content, absolutely. In my limited experience, people don't really care or mind being tracked unless they can see the drawbacks in their face.
It's obvious that Microsoft doesn't have as much to lose with a DNT default setting in IE10 when their profit center is tied to Windows and business software. They have MSN.com and Bing but both are money losers and at this point, hurting Google and Yahoo might be a better strategy even if it means "cutting off your nose to spite your face". They also hope that this will stem the defects from IE and help sell more Windows 8 upgrades and Surface tablets in general.
In regards to how people feel about tracking, people are always asked in isolation about tracking and of course everyone says they hate it and they don't want to be tracked. The better question is asking them if they will accept the alternative. Scared of Facebook? Put a $5 fee per month to replace lost ad revenues and users will depart en masse. The reality is a big chunk of the internet and the services people rely on, love, and use daily are ad supported and if given the alternative of a free ad supported model vs. a paid model, they would choose ad supported.
To be honest, I actually don't care if Yahoo tracks me on Yahoo properties - in fact, I expect them to. What I DO NOT want is for them to track me across the entire internet through injected javascript, iframes and dedicated tracking domains that serve same-origin analytic scripts from hundreds of sites - that is unethical.
Currently using adblock plus, noscript and ghostery on my FF setup with specific additional controls in ABE for Twitter and FB domains.
It's also a very useful feature of the internet, that browsers like Safari 6 have broken. There are other uses to third party cookies besides tracking - A/B testing. Many web properties are shared between multiple top level domains. Ecommerce sites will do this for example to sell different product lines, but they might want to have similar user preferences shared between the top level domains... you can't do that if you kill third party cookies... or block the same features that we'd use in ad networks to track you... IE10 isn't so bad it's just saying don't do this... so - we'll happily ignore it. Safari 6 is the real story that hasn't gotten enough attention in comparison... thankful it's not as widely used or is it... iPhone, iPad...
Am I mistaken or did the FTC not just fine Google $22.5 million over the exact same behavior for a considerably smaller share of web users?
If I'm Microsoft I am making a very public appeal to the FTC over this Monday morning. $22.5 million is a lot more money to Y! than Google. And as wary as consumers are of Microsoft long term they've got to degrade the Google/Firefox brand to start gaining any traction. Why not go full bore on tracking/creepiness?
The FTC reached a settlement with Google this year for a $22 mil fine because Google violated a previous consent order over Buzz.
Yahoo is not under an existing consent order with the FTC. For the most part, the FTC does not get fines unless a company violates an existing consent order.
Furthermore, Google didn't get fined because it circumvented Safari's privacy settings, but rather, because it lied about the extent to which users could opt out of tracking.
I've not seen anything that suggests that Yahoo is lying about the extent to which they will respect or ignore the DNT header.
The FTC's deception powers aren't going to be of much use against Yahoo here.
(Disclosure: I worked at the FTC between 2009-2010, and worked on the investigations of Facebook, MySpace and Twitter).